ISE TrustSec Matrix - Import empty cell

Dear team,

I'm trying to find a way to easily delete a lot of policies from an existing TrustSec matrix. Based on the documentation, this seems to be the right way:

"Check the Overwrite Existing Data with New Data check box if you want to overwrite the existing policy with the one that you are importing. If empty cells (cells that are marked with the "Empty" keyword in the SGACL column) are included in the imported file, the existing policy in the corresponding matrix cells will be deleted."

However, it doesn't seem to work (ISE 2.4, patch 2): it makes no difference whether the keyword is empty/EMPTY/Empty or whether one or more SGACLs are allowed per cell; the policy is not removed.

Re: ISE TrustSec Matrix - Import empty cell

Hello Krishnan,

Thank you for your advice. The workaround will do the job in smaller matrixes but will be time-consuming for larger changes (we expect to change 50+ cells multiple times after some testing period, to go from a specific SGACL to falling back to the global matrix rule, and the idea is to always prepare a CSV file for this to speed up the operation and minimize possible errors).

The browser cache was cleared, and all recommended browsers from the compatibility matrix were tested under Win10 (FF, IE11 and Chrome), but there was no difference. What we did observe, however, was that although the SGACL cannot be removed, it can be changed to another SGACL.

For debugging, the following items were set to DEBUG as per the documentation:

Problem: TrustSec

Attributes to be set to debug level:

sxp (sxp_appserver/sxp.log)

sgtbinding (sxp_appserver/sxp.log)

runtime-AAA (prrt-server.log)

nsf (ise-psc.log)

nsf-session (ise-psc.log)

The following error was noticed in all browsers on 2 different PCs when doing the empty cell import:

show logging app ise-psc.log tail

2018-09-17 09:56:03,121 ERROR [admin-http-pool2025][] cpm.admin.importexport.action.GenericImportUploadAction -:admin:::- Schedule exceptionorg.quartz.ObjectAlreadyExistsException: Unable to store Trigger with name: 'client report time' and group: 'DEFAULT', because one already exists with this identification. at org.quartz.simpl.RAMJobStore.storeTrigger(RAMJobStore.java:314) at org.quartz.simpl.RAMJobStore.storeJobAndTrigger(RAMJobStore.java:194) at org.quartz.core.QuartzScheduler.scheduleJob(QuartzScheduler.java:822) at org.quartz.impl.StdScheduler.scheduleJob(StdScheduler.java:243) at com.cisco.cpm.admin.importexport.action.GenericImportUploadAction.defineSchedule(GenericImportUploadAction.java:162) at com.cisco.cpm.admin.importexport.action.GenericImportUploadAction.processReport(GenericImportUploadAction.java:494) at sun.reflect.GeneratedMethodAccessor3339.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at com.cisco.webui.action.common.PojoActionProxy.performExecution(PojoActionProxy.java:396) at com.cisco.webui.action.common.PojoActionProxy.execute(PojoActionProxy.java:232) at org.apache.struts.chain.commands.servlet.ExecuteAction.execute(ExecuteAction.java:58) at org.apache.struts.chain.commands.AbstractExecuteAction.execute(AbstractExecuteAction.java:67) at org.apache.struts.chain.commands.ActionCommandBase.execute(ActionCommandBase.java:51) at org.apache.commons.chain.impl.ChainBase.execute(ChainBase.java:191) at org.apache.commons.chain.generic.LookupCommand.execute(LookupCommand.java:305) at org.apache.commons.chain.impl.ChainBase.execute(ChainBase.java:191) at org.apache.struts.chain.ComposableRequestProcessor.process(ComposableRequestProcessor.java:283) at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1913) at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:449) at 
javax.servlet.http.HttpServlet.service(HttpServlet.java:635) at javax.servlet.http.HttpServlet.service(HttpServlet.java:742) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:230) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165) at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165) at com.cisco.cpm.admin.infra.utils.UserInfoFilter.doFilter(UserInfoFilter.java:142) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165) at com.cisco.cpm.admin.infra.utils.NavigationalViewPreferencesFilter.doFilter(NavigationalViewPreferencesFilter.java:99) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165) at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:728) at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:467) at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:392) at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:311) at com.cisco.cpm.admin.infra.utils.WebRequestForwardingFilter.doFilter(WebRequestForwardingFilter.java:43) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165) at org.owasp.csrfguard.CsrfGuardFilter.doFilter(CsrfGuardFilter.java:88) at 
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165) at com.cisco.cpm.admin.infra.utils.WebCleanCacheFilter.doFilter(WebCleanCacheFilter.java:42) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165) at com.cisco.cpm.rbacfilter.AccessCheckFilter.doFilter(AccessCheckFilter.java:75) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165) at com.cisco.cpm.admin.infra.utils.LogFilter.doFilter(LogFilter.java:83) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165) at com.cisco.cpm.admin.infra.utils.RequestHeaderRefererValidationFilter.processRequest(RequestHeaderRefererValidationFilter.java:53) at com.cisco.cpm.admin.infra.utils.RequestHeaderRefererValidationFilter.doFilter(RequestHeaderRefererValidationFilter.java:39) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165) at com.cisco.cpm.admin.infra.utils.RequestHeaderValidationFilter.doFilter(RequestHeaderValidationFilter.java:141) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165) at com.cisco.cpm.admin.infra.utils.RequestHeaderSanityFilter.doFilter(RequestHeaderSanityFilter.java:114) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192) at 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165) at com.cisco.cpm.admin.infra.utils.UserInfoFilter.doFilter(UserInfoFilter.java:142) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165) at com.cisco.cpm.admin.infra.utils.ImportParametersFilter.doFilter(ImportParametersFilter.java:56) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165) at com.cisco.cpm.admin.xss.XssCheckFilter.doFilter(XssCheckFilter.java:133) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165) at com.cisco.cpm.admin.infra.utils.LoginCheckFilter.doFilter(LoginCheckFilter.java:359) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165) at com.cisco.cpm.admin.infra.utils.ParamFilter.doFilter(ParamFilter.java:72) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165) at com.cisco.cpm.admin.infra.utils.CommonRequestParameterFilter.doFilter(CommonRequestParameterFilter.java:67) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165) at com.cisco.cpm.admin.infra.utils.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:123) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192) at 
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165) at com.cisco.cpm.admin.infra.utils.NavigationalViewPreferencesFilter.doFilter(NavigationalViewPreferencesFilter.java:99) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165) at com.cisco.ise.tomcat.xss.FilePathCheckFilter.doFilter(FilePathCheckFilter.java:72) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165) at com.cisco.cpm.admin.infra.utils.ResponseHeadersFilter.doFilter(ResponseHeadersFilter.java:63) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165) at com.cisco.cpm.admin.infra.utils.RequestDecodingFilter.executeNextFilter(RequestDecodingFilter.java:143) at com.cisco.cpm.admin.infra.utils.RequestDecodingFilter.doFilter(RequestDecodingFilter.java:94) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:595) at org.apache.catalina.valves.RequestFilterValve.process(RequestFilterValve.java:319) at org.apache.catalina.valves.LocalAddrValve.invoke(LocalAddrValve.java:47) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:80) at 
com.cisco.ise.tomcat.valves.GuestVlanUrlRedirectValve.invoke(GuestVlanUrlRedirectValve.java:80) at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:240) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87) at org.apache.catalina.valves.MethodsValve.invoke(MethodsValve.java:52) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:341) at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:799) at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:861) at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1455) at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run(Thread.java:745)

Is there any better debug approach to catch more details about the error? It looks like the import is failing and that is preventing the policy from being overridden; however, in the GUI a success message is shown saying 1 cell was imported (only 1 policy change in the CSV file), but the matrix is without any change. Is there any other way to carry out this type of bulk import?
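
Because the GUI reports success even when the matrix is unchanged, the import can be checked by exporting the matrix afterwards and comparing it against the import file. The script below is an added example, not part of the original posts or of any Cisco tooling; the column names, the way an unset cell appears in an export, and the sample rows are assumptions.

```python
import csv
import io

# Assumed column names (not taken from the thread); match them to your export's header row.
SRC, DST, SGACL = "Source SGT", "Destination SGT", "SGACL Name"

def load_cells(csv_text):
    """Map (source SGT, destination SGT) -> SGACL cell text."""
    cells = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        cells[(row[SRC].strip(), row[DST].strip())] = (row.get(SGACL) or "").strip()
    return cells

def is_empty(value):
    # Assumption: an unset cell is exported as a blank field, "Empty", or no row at all.
    return value == "" or value.lower() == "empty"

def verify_import(import_csv, after_csv):
    """Return (cell, expected, actual) for every imported cell the matrix does not reflect."""
    wanted, after = load_cells(import_csv), load_cells(after_csv)
    mismatches = []
    for cell, expected in sorted(wanted.items()):
        actual = after.get(cell, "")
        if is_empty(expected):
            if not is_empty(actual):
                mismatches.append((cell, "Empty", actual))
        elif actual != expected:
            mismatches.append((cell, expected, actual or "Empty"))
    return mismatches

# Constructed sample data: one cell changed to another SGACL, one cell marked Empty.
IMPORT_CSV = """Source SGT,Destination SGT,SGACL Name
Employees,Servers,Permit_Web
Contractors,Servers,Empty
"""
# Constructed export after the import: the change applied, the deletion did not.
AFTER_CSV = """Source SGT,Destination SGT,SGACL Name
Employees,Servers,Permit_Web
Contractors,Servers,Deny_SSH
Guests,Servers,Deny_All
"""

if __name__ == "__main__":
    for (src, dst), expected, actual in verify_import(IMPORT_CSV, AFTER_CSV):
        print(f"{src} -> {dst}: expected {expected}, matrix still has {actual}")
```

An empty result means every cell in the import file, deletions included, is reflected in the exported matrix.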
